It’s 4:47 PM on a Friday. Someone from accounting just reported that “the internet is slow.” Your monitoring dashboard shows everything green. The router looks fine. The switch isn’t dropping packets. But the complaints keep coming.

You’ve probably been here. The frustration of knowing something is wrong but having no way to see what’s actually happening on the wire. That’s where Wireshark comes in—and why every IT professional should know how to use it.

This isn’t another surface-level overview. We’re going deep on the tool that lets you stop guessing and start seeing exactly what’s happening on your network.

Why Wireshark Matters More Than You Think

Here’s the uncomfortable truth: most network troubleshooting is educated guessing. You restart services, swap cables, reboot switches, and hope something fixes the problem. Sometimes it works. Sometimes you waste hours.

Wireshark changes the game because it shows you the actual conversation happening between devices. Not abstractions. Not logs. The raw packets—every request, every response, every retry, every failure.

According to the official Wireshark documentation, the tool supports over 3,000 network protocols. That’s not a typo. Whether you’re troubleshooting HTTP, DNS, TCP handshakes, or obscure industrial protocols, Wireshark can decode it.

And here’s what makes it particularly valuable for your career: the Wireshark Certified Analyst (WCA) credential is designed for IT professionals who need to analyze and troubleshoot network or application performance issues. It’s industry-recognized validation that you can identify, interpret, and resolve real-world network problems at the packet level. If you’re weighing which technical skills to prioritize in 2026, packet analysis belongs near the top of the list.

Installing Wireshark: The Part Everyone Gets Wrong

Getting Wireshark running sounds simple—download, install, done. But there’s a critical step most beginners skip that leaves them staring at a blank screen.

Windows Installation

Download Wireshark from wireshark.org. During installation, you’ll be prompted to install Npcap. This is the capture driver that lets Wireshark actually see network traffic.

If you skip Npcap, Wireshark opens fine but sees nothing. No interfaces. No packets. Just confusion.

Install Npcap with default settings. If you need to capture loopback traffic (traffic your computer sends to itself), check the “Support raw 802.11 traffic” and loopback options during Npcap setup.

Linux Installation

On Debian/Ubuntu systems:

sudo apt update
sudo apt install wireshark

Here’s the gotcha: by default, you need root privileges to capture packets. Running Wireshark as root works but is a security risk. The safer approach:

sudo usermod -aG wireshark $USER

Log out and back in for the group membership to take effect. Now you can capture without full root access.

For Red Hat/Fedora systems:

sudo dnf install wireshark
sudo usermod -aG wireshark $USER

If you want to build these command-line skills further, Shell Samurai offers interactive terminal challenges that reinforce Linux fundamentals—useful for anyone who needs to work with network tools in a Linux environment. For a broader foundation, check out our Linux basics guide for IT professionals.

macOS Installation

Download the macOS installer from wireshark.org or use Homebrew:

brew install --cask wireshark

macOS requires installing the “ChmodBPF” launch daemon to capture packets. The installer handles this, but you may need to allow it in System Preferences > Security & Privacy.

Your First Capture: Stop Clicking Randomly

Open Wireshark. You’ll see a list of network interfaces—your Ethernet adapter, Wi-Fi card, maybe some virtual interfaces if you run VMs or Docker.

Picking the Right Interface

Don’t just click the first one. Look at the small graph next to each interface. The one with activity (the moving line) is where your traffic flows.

For most desktop troubleshooting:

  • Wired connection: Select your Ethernet adapter
  • Wireless: Select your Wi-Fi adapter
  • Server with multiple NICs: Pick the interface facing the traffic you need to analyze

Starting a Basic Capture

  1. Select your interface
  2. Click the blue shark fin icon (or press Ctrl+E)
  3. Generate some traffic (browse a website, ping something)
  4. Click the red square to stop

You now have a packet capture. But if you’re staring at thousands of packets wondering what to do next—that’s normal. The real skill is filtering. (This is also why building a home lab is so valuable—you get practice without the pressure of a production incident.)

Display Filters: The Most Important Skill

Raw packet captures are overwhelming. A busy network generates thousands of packets per second. Wireshark’s filtering system lets you isolate exactly what matters.

The filter bar sits at the top of the packet list. Type a filter, press Enter, and Wireshark shows only matching packets. The bar turns green for valid filters, red for syntax errors.

Essential Filters Every IT Pro Needs

Filter by protocol:

http
dns
tcp
arp
icmp

Filter by IP address:

ip.addr == 192.168.1.100

This shows all traffic to OR from that IP. To filter only source or destination:

ip.src == 192.168.1.100
ip.dst == 10.0.0.1

Filter by port:

tcp.port == 443
udp.port == 53

Combine filters with AND/OR:

http && ip.addr == 192.168.1.100
dns || icmp
tcp.port == 80 && ip.src == 10.0.0.50

Exclude traffic (the NOT operator):

!arp
!(ip.addr == 192.168.1.1)

Filters for Common Troubleshooting Scenarios

See all DNS queries:

dns.qry.name

Find HTTP errors:

http.response.code >= 400

Identify slow TCP connections (retransmissions):

tcp.analysis.retransmission

Find failed TCP connections (RST packets):

tcp.flags.reset == 1

Filter HTTPS traffic (TLS handshakes):

tls.handshake

The Wireshark Wiki’s Display Filters page has hundreds more examples. Bookmark it.

Capture Filters: Reduce the Noise Before It Starts

Display filters work on already-captured packets. Capture filters tell Wireshark what to record in the first place. They use different syntax (based on Berkeley Packet Filter, or BPF) and are much more limited—but they’re essential when capturing on busy networks.

Why use capture filters? Because a gigabit network can fill gigabytes of disk space in minutes. Capture only what you need.

Common Capture Filter Syntax

Access capture filters through Capture > Options, or type directly in the capture filter bar before starting.

Traffic to/from a specific host:

host 192.168.1.100

Traffic on a specific port:

port 80
port 443

Traffic to a specific network:

net 10.0.0.0/24

Exclude specific traffic:

not port 22
host 192.168.1.100 and not port 443

Combine conditions:

host 10.0.0.5 and port 80

Important: capture filters use different syntax than display filters. tcp port 80 (capture) is not the same as tcp.port == 80 (display). The Wireshark Capture Filters Wiki documents the differences.

Real Troubleshooting: Solving Actual Problems

Theory is nice. Let’s solve real problems.

Problem 1: “The Website is Slow”

Someone reports that accessing internal.company.com takes forever. Let’s find out why.

Step 1: Capture relevant traffic

Start a capture, then reproduce the problem by accessing the slow website. Stop the capture.

Step 2: Filter for HTTP traffic to that host

http.host == "internal.company.com"

If it’s HTTPS:

tls.handshake.extensions_server_name == "internal.company.com"

Step 3: Look at timing

Click View > Time Display Format > Seconds Since Previous Displayed Packet. Now you can see delays between packets.

Step 4: Check for retransmissions

tcp.analysis.retransmission && ip.addr == [server IP]

Lots of retransmissions? That’s packet loss. Could be network congestion, bad cable, failing switch port.

Step 5: Analyze the TCP handshake

Find the SYN packet (the connection start). Right-click > Follow > TCP Stream to see the full conversation. Is the server responding slowly? Is DNS resolution taking too long?

Problem 2: “I Can’t Connect to the Server”

Users report they can’t reach a server, but you can ping it fine.

Step 1: Capture connection attempts

ip.addr == [server IP]

Step 2: Look for TCP RST packets

tcp.flags.reset == 1 && ip.addr == [server IP]

RST packets mean the connection is being rejected. Is the service running? Is a firewall blocking the port?

Step 3: Check for incomplete handshakes

A normal TCP connection shows: SYN → SYN-ACK → ACK. If you see SYN with no response, the server might be unreachable or a firewall is dropping packets silently.

Step 4: Examine the response

If you see SYN → RST, the port is closed. If you see SYN with no response, packets are being dropped (firewall, routing issue, or the server is down).

Problem 3: “DNS Isn’t Working”

Users can’t resolve domain names, but your DNS server appears healthy.

Step 1: Filter DNS traffic

dns

Step 2: Check query and response

Find the DNS query packet. Is there a response? If the query shows but no response appears, the DNS server isn’t answering.

Step 3: Examine the response content

Look at the response packet. Expand the “Answers” section in the packet details. Is it returning the correct IP? Is it returning NXDOMAIN (domain doesn’t exist) or SERVFAIL (server error)?

Step 4: Check timing

DNS should respond in milliseconds. If you’re seeing multi-second delays between query and response, your DNS server is overloaded or there’s network latency.

This kind of structured troubleshooting is exactly what the Wireshark Certified Analyst exam tests. It’s also the skill that separates “I think it’s a network problem” from “I can prove exactly where packets are being dropped.”

Following TCP Streams: See the Full Conversation

One of Wireshark’s most useful features for troubleshooting application issues is the ability to follow a complete TCP conversation.

Find any packet in the conversation you’re interested in. Right-click and select Follow > TCP Stream.

Wireshark shows you the entire conversation, color-coded:

  • Red: Data sent by the client
  • Blue: Data sent by the server

For HTTP traffic, you’ll see the full request and response, including headers. This is invaluable for debugging web application issues, API problems, or weird behavior that doesn’t show up in browser dev tools.

You can also follow:

  • UDP Stream: For DNS, DHCP, and other UDP protocols
  • TLS Stream: For encrypted HTTPS (shows the handshake, but not decrypted content without keys)
  • HTTP Stream: Specifically for HTTP conversations

Protocol Hierarchy: What’s Actually on Your Network?

Click Statistics > Protocol Hierarchy to see a breakdown of all protocols in your capture.

This view answers questions like:

  • What percentage of traffic is HTTP vs HTTPS?
  • Is there unexpected traffic (SMB on a network that shouldn’t have file sharing)?
  • How much DNS traffic is there?

Unexpectedly high percentages of certain protocols can reveal problems. Excessive ARP might indicate a scanning attack or misconfigured device. Lots of TCP retransmissions point to network quality issues.

Conversations and Endpoints: Who’s Talking to Whom?

Statistics > Conversations shows you every pair of communicating hosts and how much data they exchanged.

This helps identify:

  • Which host is generating the most traffic
  • Unexpected communication patterns
  • A device sending data to unknown external IPs (possible compromise)

Statistics > Endpoints shows similar data but for individual hosts rather than pairs.

Security Analysis: When Something Feels Wrong

Wireshark isn’t an intrusion detection system, but it can reveal suspicious activity when you know what to look for.

Signs of Port Scanning

tcp.flags.syn == 1 && tcp.flags.ack == 0

This shows SYN packets (connection attempts). If you see hundreds from one source to many destination ports on a single target, that’s a port scan.

Signs of DNS Tunneling

Unusual DNS traffic patterns can indicate data exfiltration:

  • Very long domain names in queries
  • Unusually large TXT record responses
  • High volume of queries to the same domain
dns.qry.name contains "suspiciousdomain.com"

Signs of Data Exfiltration

Large amounts of outbound traffic to unfamiliar IPs, especially on unusual ports, warrant investigation:

ip.dst != 10.0.0.0/8 && ip.dst != 172.16.0.0/12 && ip.dst != 192.168.0.0/16

This filters for traffic leaving your private network. Sort by bytes transferred to find the biggest talkers.

If you’re interested in building security analysis skills, platforms like TryHackMe and HackTheBox offer Wireshark-focused challenges that let you practice with real attack scenarios. This kind of hands-on analysis is exactly what cybersecurity career paths require—and why security roles are harder to automate than many other IT positions.

Building Your Filter Cheat Sheet

Here’s a reference table of filters you’ll use constantly:

PurposeFilter
All HTTP traffichttp
HTTP requests onlyhttp.request
HTTP responses onlyhttp.response
HTTP errors (4xx/5xx)http.response.code >= 400
DNS trafficdns
DNS queriesdns.flags.response == 0
DNS responsesdns.flags.response == 1
Failed DNS (NXDOMAIN)dns.flags.rcode == 3
TCP traffictcp
TCP SYN packetstcp.flags.syn == 1 && tcp.flags.ack == 0
TCP RST packetstcp.flags.reset == 1
TCP retransmissionstcp.analysis.retransmission
Traffic by IPip.addr == 192.168.1.100
Traffic by subnetip.addr == 192.168.1.0/24
Exclude an IP!ip.addr == 192.168.1.1
Traffic by porttcp.port == 443
ICMP (ping)icmp
ARP trafficarp

The Comparitech Wireshark Cheat Sheet has a downloadable PDF version worth keeping handy.

Capturing on Remote Systems

Sometimes the problem isn’t on your local network. You need to capture traffic on a remote server or a different network segment.

Using tcpdump to Capture Remotely

If you can SSH into a Linux server, tcpdump creates capture files that Wireshark can open:

sudo tcpdump -i eth0 -w capture.pcap

Then copy the file to your local machine and open it in Wireshark:

scp user@server:/path/to/capture.pcap .

For practice with these kinds of Linux command-line workflows, Shell Samurai provides structured exercises that build muscle memory with commands you’ll use in real troubleshooting.

Capturing on Switches

On managed switches, you can configure port mirroring (SPAN on Cisco devices) to copy traffic from one port to another where your capture system is connected.

The specifics vary by vendor, but the concept is the same: tell the switch to duplicate traffic so you can see it without being inline.

When Wireshark Won’t Help

Wireshark shows you what’s happening on the network. It can’t help with:

  • Problems above the network layer: If the application itself is buggy, you’ll see normal-looking network traffic. The issue is in the code.

  • Encrypted content: You can see that encrypted traffic exists, but not what’s inside (without the decryption keys).

  • Problems you can’t capture: If you’re not positioned to see the traffic (wrong network segment, firewall blocking capture), Wireshark sees nothing.

  • Things that require network knowledge: Wireshark assumes you understand protocols. If you don’t know how DNS should work, you won’t recognize when it’s broken.

This last point is important. Wireshark makes you more effective only if you understand the fundamentals. Resources like Linux Journey for system fundamentals and Professor Messer’s Network+ videos for networking concepts build the foundation that makes packet analysis useful. Our IT career advice for beginners covers other foundational skills worth developing early.

Making Wireshark a Career Asset

Network analysis skills separate “I think the network is the problem” from “I can prove exactly what’s happening.” That’s a valuable distinction.

Roles where Wireshark proficiency matters most:

  • Network Administrator/Engineer: Obviously. Daily troubleshooting requires this. See our network engineer career guide for the full path.
  • Security Analyst/SOC Analyst: Incident investigation often requires packet-level analysis. The cybersecurity certifications guide covers what else you’ll need. See our cybersecurity careers topic hub for the full picture.
  • System Administrator: When applications misbehave, network captures often reveal why. If you’re moving from help desk to sysadmin, this is a key skill to develop.
  • DevOps/SRE: Understanding how services communicate helps debug distributed systems. Check the DevOps career guide for the broader skillset.

The Wireshark Certified Analyst credential validates these skills formally. It’s particularly relevant for security operations and network engineering positions.

If you’re building toward network-focused roles, Wireshark pairs well with certifications like CompTIA Network+ or Cisco CCNA. Browse our IT certifications topic hub for guides on specific certs. The hands-on skill of packet analysis complements the theoretical knowledge those certs require.

Practice Without Breaking Things

Before you capture on production networks, practice in safe environments:

  1. Your home network: Capture your own browsing, see how HTTP, DNS, and TLS actually work.

  2. Virtual labs: Set up VMs with VirtualBox and capture traffic between them.

  3. Sample captures: Wireshark’s Sample Captures page provides real-world captures for practice.

  4. CTF challenges: Many capture-the-flag competitions include network forensics challenges using pcap files. This is great practice if you’re getting into ethical hacking.

  5. TryHackMe Wireshark rooms: TryHackMe has dedicated Wireshark training rooms that walk through analysis scenarios.

Next Steps

You now have the foundation to use Wireshark for real troubleshooting. Here’s where to go next:

Immediate practice: Capture your own network traffic for 5 minutes. Apply the filters you learned. Follow some TCP streams. Get comfortable with the interface.

Build protocol knowledge: The better you understand TCP, HTTP, DNS, and other protocols, the more useful your captures become. The Wireshark User’s Guide goes deep on specific protocols.

Learn capture strategy: Knowing where to capture and when is as important as knowing how. Enterprise networks require thinking about switch port mirroring, network taps, and capture placement.

Explore advanced features: Wireshark can decrypt TLS (with keys), reassemble file transfers, decode VoIP calls, and much more. Each feature is worth learning when you need it.

The tool is free. The learning curve is real but manageable. And the ability to see exactly what’s happening on your network—that’s a skill that makes you significantly more effective.

If you’re unsure which skills to prioritize next, our guide on what IT certification to get can help you map out the path, and the bash scripting tutorial covers another essential tool for IT troubleshooting and automation.

FAQ

Using Wireshark on networks you own or administer (with authorization) is legal. Capturing traffic on networks without permission is illegal in most jurisdictions—it’s essentially wiretapping. Always get explicit authorization before capturing on any network you don’t control.

Can Wireshark capture HTTPS traffic?

Wireshark can see that HTTPS traffic exists and capture the encrypted packets, but it cannot decrypt the content without access to the session keys. There are methods to configure browsers to log session keys for analysis, but that only works for your own traffic. You can’t decrypt someone else’s HTTPS traffic without their keys.

How much disk space does a capture need?

It depends on network utilization. A busy gigabit network can generate 100+ MB per second. Use capture filters to limit what you record, or set a file size limit in Capture > Options. For most troubleshooting, a few minutes of filtered capture is usually enough.

Do I need Wireshark certification?

The Wireshark Certified Analyst (WCA) credential is valuable for network-focused roles, particularly in security operations and network engineering. However, demonstrated skill matters more than the cert itself. If you can solve problems with Wireshark in interviews or on the job, that speaks louder than a credential. For more on the certifications vs. experience debate, we’ve covered what actually gets you hired.

What’s the difference between Wireshark and tcpdump?

Both capture packets. tcpdump is command-line only and runs on servers without GUIs—ideal for remote systems. Wireshark has a graphical interface and more advanced analysis features. Most IT pros use tcpdump to capture on remote systems, then analyze the resulting .pcap files in Wireshark locally.